\documentclass[A4,12pt]{article}
\usepackage{times}
\usepackage{enumerate}
\usepackage{amsmath}
\usepackage{graphicx}
%\usepackage{setspace}
%\doublespacing
%\numberwithin{equation}

\begin{document}
%
% paper title
% can use linebreaks \\ within to get better formatting as desired
\title{Enhancement of Two Robust Remote User Authentication Protocols using Smart Cards}


\author{Chin-Chen Chang, Hai-Duong Le, Chia-Yin Lee, Chin-Hsiang Chang}% <-this % stops a space







% make the title area
\date{}
\maketitle


\begin{abstract}
%\boldmath

\textbf{Keywords:} authentication, key agreement, untraceability, anonymity, smart card, mobile communication
\end{abstract}

\section{Introduction}
	
	The notation used in this papers are listed in the following.
	
	\begin{tabular} {l p{13cm}}
	$U$ & the user \\
	$ID$ & the identity of $U$ \\
	$PW$ & the password of $U$ \\
	$S$ & the remote server \\ 
	$x$ & a long term secret key of $S$ \\
	$h(\cdot)$ & a public one-way hash function \\
	$E_x(\cdot)$, $D_x(\cdot)$ &  secure symmetric encryption, decryption algorithms with the secret key $x$ \\
	$r$, $n$ & two random numbers \\
	
	\end{tabular}

\section{Related work}

\subsection{Review of Yeh et al.'s scheme}

\subsubsection{Registration phase}
In this phase, the user $U$ initiates communication with the server $S$ by sending the registeration request $\{ID, h(PW), r\}$ over a secure channel, where $PW$ and $r$ are the password and the random number chosen by $U$, respectively. Upon receive the request from $U$, the server computes the following parameters:

$$N=h(r \| x) \oplus h(PW)$$
and $$Y=h(ID \| h(r \| x))) \text{ ,}$$
where $x$ is the server's long term secret key. Then, the server $S$ issues a smart card containing $\{r, N, Y, h(\cdot)\}$ to the user $U$.

\subsubsection{Login and authentication phase}
To start the login process, the user $U$ inserts his smart card into a card reader and provides the card reader with his identity $ID$ and password $PW$. In this phase, the smart card has two main tasks. The first task is to verify the given $ID$ and $PW$; it will reject the login request if either $ID$ or $PW$ is invalid. The second task is to initiate and establish a secure and mutual authenticated session with the server $S$. 

The smart card verifies the user's identity $ID$ and the password $PW$ as follows:

\begin{itemize}
\item It first derives the hash value $h(r \| x)'$ from $N$, where $h(r \| x)' = N \oplus h(PW)$. Next, it computes $Y'=h(ID \| h(r \| x)')$.
\item The smart card checks whether $Y'$ matches $Y$, which is stored in the smart card memory. If the values are not identical, the request login is rejected by the smart card; otherwise, the smart card continues the login procedure.
\end{itemize}

After authenticating the user $U$, the smart card performs initiating and establishing an authenticated session with the server $S$ as follows:

\begin{enumerate}[Step 1]

\item  The smart card choose a nonce $n$ and computes the following parameters:
$$K = h(r \| x)' \oplus n \text{ ,}$$
$$L = ID \oplus h(h(r \| x)'  \| n) \text{ ,}$$
and $$CID = h(ID \| n) \text{ .}$$
Afterwards, the smart card sends the login request message
\begin{equation}
\label{1}
\tag{1}
\{CID, r, K, L\}
\end{equation}
to the server $S$.

\item Once receiving the login request from the user $U$, the server derives the identity $ID'$ of the user by using its long-term secret $x$ as follows:
$$ID' = h(M \| n') \oplus L \text{ ,}$$
where $$M = h(r \| x) \text{ ,and } n' = M \oplus K$$
Subsequently, it computes the value $CID' = h(ID' \| n')$ and compares $CID'$ with the received $CID$. If they are equal, the server is confident that $U$ is valid; otherwise, $S$ rejects the login request. In the case $U$ is a legitimate user, $S$ computes $a' = h(h(n' \| ID' \| h(r \|x)'))$ and sends the response message
\begin{equation}
\label{2}
\tag{2}
\{a'\}
\end{equation}
to the smart card. The server computes the session key $SK =h(h(n') \| h(r \| x)')$.

\item When the response from the server arrives, the smart card computes $a = h(h(n \| ID \| h(r \|x)))$. If $a$ is equal to $a'$, the smart card trusts that $S$ is valid and constructs the session key $SK =h(h(n) \| h(r \| x))$.
\end{enumerate}

Finally, the server $S$ and the user $U$ are mutually authenticated and share the session key $SK$ for the secure communication that follows. 

\subsubsection{Password Changing Phase}
In password changing phase, the smart card first performs user verification similarly to its first task in the login phase. If the user provides valid $ID$ and $PW$, the smart will ask $U$ to enter his new password $PW^*$ and replace the value $N$, in its memory, with $N^* = N \oplus h(PW) \oplus h(PW^*)$. Afterwards, the password is changed without the server's assistance.

\subsection{Vulnerabilities of Yeh et al.'s scheme}
In this section, we analyze the security issues in Yeh et al.'s scheme. We first give evidence that this scheme does not provide mutual authentication between the server and its users because Yeh et al.'s scheme is subjected to \emph{replay attack} in login phase. This makes the server to accept any login request which is replayed by an adversary. Consequently, the adversary is able to \emph{masquerade} any legitimate user to access the server. Moreover, the scheme is susceptible to \emph{off-line password guessing attack}. 

\subsubsection{Replay attack}

\subsubsection{Masquerade attack}

\subsubsection{Off-line password attack}

\subsection{Remedy for Yeh et al.'s scheme}
\subsubsection{Registration Phase}
In order to register with the server $S$, the user $U$ first chooses a password $PW$ and a random number $r$; then, he submits $\{ID, h(PW), r\}$ to the server over a secure channel. 

Once receiving the registration request, the server $S$ issues to $U$ a smart card containing $\{r, N, Z, h(\cdot)\}$, where $x$ is the server's long-term secret key, 
$$N = h(r \| x) \oplus h(PW) \text{ ,}$$
 and $$Z=h(ID\| x) \oplus h(PW) \text{ .}$$

\subsubsection{Login Phase}
When the user $U$ wants to login into the server $S$, he inserts his smart card into a card reader and enters his $ID$, $PW$ to the terminal. Starting from this point, the smart card is responsible in contacting the server $S$ and establishing mutual authentication with it. The protocol is described as follows:

\begin{enumerate}[Step 1]
\item The smart card uses the given password to obtain $h(r \| x)' = N \oplus h(PW)$, $h(ID \| x)' = Z \oplus h(PW)$. It then generates a random nonce $n_1$ and computes the following parameters:
$$K = h(r \| x)' \oplus n_1 \text{ ,}$$ 
$$L = ID \oplus h(n_1) \text{ ,}$$
and $$CID = h(h(ID \| x)' \| n_1) \text{ .}$$
Then, the smart card sends the login request message
\begin{equation}
\label{1a}
\tag{1a}
\{CID, r, K, L\}
\end{equation}
to the server $S$.

\item Upon receiving message $(1a)$, the server computes $M = h(r \| x)$. $S$ derives $n_1'$ and $ID'$ as follows
$$n_1' = K \oplus M \text{ ,}$$ 
and $$ID' = L \oplus h(n_1') \text{ .}$$
The server then computes $CID' = h(h(ID' \| x) \| n_1')$ and compares it with the received value $CID$. If they are not equal, $S$ notices the user for failed login and terminates the session. In the case $CID' = CID$, it chooses a random nonce $n_2$ and computes 
$$M_{S1} = h(n_1' \| h(r \| x)) \oplus n_2\text{ ,}$$ 
and $$M_{S2}= h(n_1' \| n_2 ) \text{ .}$$

$S$ then sends the response message 
\begin{equation}
\label{2a}
\tag{2a}
\{M_{S1}, M_{S2}\}
\end{equation}
to the smart card.

\item Once receiving the response from $S$, the smart card derives $n_2'=M_{S1} \oplus h(n_1 \| h(r \| x)')$. It then verifies whether $h(n_1 \| n_2')$ is equal to $M_{S2}$. If it does not hold, the smart card terminates the session; otherwise, it believes that the server is authentic. The smart card computes the shared session-key $SK = h(n_2' \oplus n_1)$ and sends 
\begin{equation}
\label{3a}
\tag{3a}
\{M_{U} = h(n_2' + 1)\}
\end{equation}
to the server $S$.

\item Upon receiving message $(3a)$, $S$ verifies $M_U$ by computing $h(n_2 +1)$. If $M_U$ is valid, the server trusts that $U$ is a legitimate user. Then, it computes the session-key $SK = h(n_2 \oplus n_1' )$.

\end{enumerate}

At this point, the server $S$ and the user $U$ both succeed in authenticating each other. And they share a session-key $SK$ for subsequent communications.

\emph{Note:} In our scheme, the user's identity and password are verified by the server; unlike Yeh et al.'s scheme, where they are verified by the smart card at the very beginning of login phase.  At the server side, we can set a limit the number of failed login attempts over a period of time. By doing so, we can prevent both on-line and off-line password-guessing attacks. 

\subsection{Password Changing}
When the user $U$ needs to change his password, $U$ first login into the server $S$; then, he can request to change his password. The smart card replace the old password $PW$ with the new one, $PW^*$, simply by replace $N$ with $N^* = N \oplus PW \oplus PW^*$ in the card's memory.


\section{The Proposed Scheme featuring Untraceability}
In Yeh et al.'s scheme, the login request message (1) contains a fixed value $r$ for all the sessions. 

The registration phase and password changing phase are the same as in the first proposed scheme. We only make  amendment in login phase so that the scheme can provide untraceability feature. We describe the login phase as follows:

\begin{enumerate}[Step 1]

\item To login into the server $S$, the user $U$ inserts his smart card into the card reader. The smart card then prompts the user for his identity $ID$ and password $PW$. After the smart card derives $M' = h(r \| x)' = N \oplus h(PW)$, and $h(ID \| x)' = Z \oplus h(PW)$, it chooses a random nonce $r$ and sends the message 
\begin{equation}
\label{1b}
\tag{1b}
\{CID, r, K, L\}
\end{equation}
to the server $S$, where
$$K = h(r \| x)' \oplus n_1 \text{ ,}$$
$$L = ID \oplus h(n_1) \text{ ,}$$
and $$CID =h(h(ID \| x)' \| n_1) \text{ .}$$

\item Upon receiving the message $(1b)$, the server obtains $n_1'$ and $ID'$ by computing
$$n_1' = M \oplus K \text{ ,}$$
$$ID' = L \oplus h(n_1')$$
where $$M = h(r \| x) \text{ .}$$
Next, the server computes $CID' = h(h(ID' \| x) \| n_1')$ and verifies $CID$. If $CID'$ differs from $CID$, the server terminates the session; otherwise, it chooses random nonces $n_2$ and $r'$. Then, it sends
\begin{equation}
\label{2b}
\tag{2b}
\{M_S\}
\end{equation}
to the user $U$, where
$$M_S = E_M(r' \| h(r' \| x) \| n_1' \| n_2) \text{ ,}$$
and $E_M(\cdot)$ is a symmetric key encryption using the key $M = h(r \| x)$.

\item After receiving message $(2b)$, the smart card decrypt $M_S$ using $M = h(r \| x)$ as the key; thus, it obtains $r', h(r' \| x), n_1', n_2$. The smart card then verifies $M_S$ by comparing $n_1'$ from the decryption with $n_1$. If $M_S$ is valid, the smart card believes that it successfully authenticates the server. It then sends the message
\begin{equation}
\label{3b}
\tag{3b}
\{M_U\}
\end{equation}
to the server, where $M_U = h(n_2 + 1)$.
Next, the smart card computes the session-key $SK = h(n_2 \oplus n_1)$. Finally, it replaces $r$ with the new value $r'$, $N$ with $N' = h(r'  \| x) \oplus h(PW)$ in its memory. 

\item The server verifies the message $M_U$. If $M_U$ is valid, the server believes that $U$ is a valid user. It then computes the session-key $SK = (n_2 \oplus n_1)$.

Eventually, $S$ and $U$ are mutually authenticated and share the session-key $SK$. 

\emph{Note:} In Step $3$, the value $r$ and $N$ are replaced by value newly generated by the server. In every login, the value of $r$ is renewed; thus, it is not possible to tell whether two login requests originates from one user or not. This provides the scheme with untraceability feature.

\end{enumerate}



\subsection{Registration Phase}

\subsection{Login Phase}
\subsection{Password-changing phase}

\section{Security Analysis}

\section{Performance Analysis}

\section{Conclusions}

\bibliographystyle{plain}
\bibliography{science}

\end{document}


